Krebs on Security

In-depth security news and investigation

Patch Tuesday, December 2018 Edition

Adobe and Microsoft each released updates today to tackle critical security weaknesses in their software. Microsoft’s December patch batch is relatively light, addressing more than three dozen vulnerabilities in Windows and related applications. Adobe has issued security fixes for its Acrobat and PDF Reader products, and has a patch for yet another zero-day flaw in Flash Player that is already being exploited in the wild.

At least nine of the bugs in the Microsoft patches address flaws the company deems “critical,” meaning they can be exploited by malware or ne’er-do-wells to install malicious software with little or no help from users, save for perhaps browsing to a hacked or booby-trapped site.

Microsoft patched a zero-day flaw that is already being exploited (CVE-2018-8611) and allows an attacker to elevate his privileges on a host system. The weakness, which is present on all supported versions of Windows, is tagged with the less severe “important” rating by Microsoft mainly because it requires an attacker to be logged on to the system first.

According to security firm Rapid7, other notable vulnerabilities this month are in Internet Explorer (CVE-2018-8631) and Edge (CVE-2018-8624), both of which Microsoft considers most likely to be exploited. Similarly, CVE-2018-8628 is a flaw in all supported versions of PowerPoint which is also likely to be used by attackers.

It generally can’t hurt for Windows users to wait a day or two after Microsoft releases monthly security updates before installing the fixes; occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out. Also, it’s a good idea to get in the habit of backing up your data before installing Windows updates.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.
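One way to get the waiting period and the notify-before-install behaviour described above on Windows 10 is through the documented Windows Update policy registry values. The script below is an added example written for this page, not something from the original post or from Microsoft; the three-day deferral is an assumption you should tune, and the values are the ones the "Configure Automatic Updates" and Windows Update for Business policies are documented to read.

```powershell
# Added example (not from the post): defer monthly quality updates for a few
# days, require a user to approve installs, and stop unattended reboots on
# Windows 10 using the documented Windows Update policy registry keys.
# Run from an elevated PowerShell prompt; policy keys override the Settings app.
#Requires -RunAsAdministrator

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

foreach ($key in @($wuPolicy, $auPolicy)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Windows Update for Business: defer quality (monthly security) updates so a
# known-bad patch is pulled or re-issued before it reaches this machine.
# Documented range is 0-30 days; 3 is an assumption, adjust to taste.
$deferDays = 3
Set-ItemProperty -Path $wuPolicy -Name 'DeferQualityUpdates' -Type DWord -Value 1
Set-ItemProperty -Path $wuPolicy -Name 'DeferQualityUpdatesPeriodInDays' -Type DWord -Value $deferDays

# "Configure Automatic Updates": AUOptions 2 = notify before download and before
# install, so nothing is installed until someone chooses to install it.
Set-ItemProperty -Path $auPolicy -Name 'NoAutoUpdate' -Type DWord -Value 0
Set-ItemProperty -Path $auPolicy -Name 'AUOptions' -Type DWord -Value 2

# Never force a restart while a user is logged on, even after an install.
Set-ItemProperty -Path $auPolicy -Name 'NoAutoRebootWithLoggedOnUsers' -Type DWord -Value 1

# Read the values back so the change can be audited later.
Write-Host 'Effective Windows Update policy values:'
Get-ItemProperty -Path $wuPolicy |
    Select-Object -Property DeferQualityUpdates, DeferQualityUpdatesPeriodInDays |
    Format-List
Get-ItemProperty -Path $auPolicy |
    Select-Object -Property NoAutoUpdate, AUOptions, NoAutoRebootWithLoggedOnUsers |
    Format-List

# Record what is already installed before patching, so a post-patch problem
# can be traced to a specific KB instead of "this month's batch".
Write-Host 'Most recently installed updates:'
Get-HotFix |
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 10 -Property HotFixID, Description, InstalledOn
```

These policy values are honoured on the Pro, Enterprise and Education editions; Windows 10 Home may ignore some or all of them. Pairing the script with a file or image backup before clicking install gives you the rollback the post recommends.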

For its part, Adobe’s got new versions of Adobe Reader and Adobe Acrobat that plug dozens of security holes in the programs. Also, last week Adobe issued an emergency patch to fix a zero-day flaw in Flash Player that bad guys are now using in active attacks.

Fortunately, the most popular Web browser by a long shot — Google Chrome — auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it (Microsoft also bundles Flash with IE/Edge and updates it whenever Windows systems install monthly updates). By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it.

Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

This entry was posted on Tuesday, December 11th, 2018 at 4:05 pm and is filed under Time to Patch.

Considering that Microsoft is patching roughly the same number of vulnerabilities every release may suggest the number is not only limited by the number of flaws they find, but maybe by the capacity of fixes they are able to produce and validate.

Meaning there is a ton of bugs that are not getting addressed and ready to be exploited….

I have to say Windows 10 is not tested nor bug free by any measure. The core problem is that moving to an 18-month life cycle for a Microsoft Operating System [OS] was a bad mistake. Microsoft generally takes about 4 to 5 years to harden their OS series.

For example, Windows 7, Windows XP, and Windows 2000 Professional took about 5 to 6 years to iron out the OS code and their supported lives were 5 to 10 years or 60 to 120 months. Microsoft pushes out a new Win 10 OS with a life cycle of only 18 months. I don’t see Microsoft hardening any of its OS within 18 months.

The other problem is many of its modules or whole OS products are “server side” and depend upon Microsoft’s “cloud” which tends to lock in their customers and also let in hackers. The “cloud” is just not that safe yet. The cloud attack surface area is much higher than expected.

The problem is at the top. As Wikipedia notes: Satya Nadella born in Hyderabad, Telangana, India. Nadella changed the company’s direction after becoming CEO. His tenure has emphasized openness to working with companies and technologies with which Microsoft also competes, including Apple Inc., Salesforce… Under Nadella Microsoft revised its mission statement to “empower every person and every organization on the planet to achieve more”. See: ht tps://en .wikipedia. org/ wiki/Satya_Nadella [link fractured to prevent bot and scripts from auto running and so on.]

The opposite has happened with its products. This means more money for Microsoft’s coffers and less stability for its buyers.

Apple’s small mobile phones are somewhat stable but the comparison between a Microsoft OS and a cell is completely different. It is nice Microsoft is making good money under their dubious accounting changes but their loyal customers are suffering. I don’t see that ending any time soon. I would suggest firing the current CEO and hiring a competent CEO with more focus on security over churning out flawed 18 month OS systems for fast profits.

Because updates are not just security fixes, but contain new features, which then contain new vulnerabilities. It would be nice to have the choice to get just the security fixes, without any non-requested new features and completely redesigned user interfaces.

I have not had a Win 7 Security Monthly Rollup successfully install since Aug 18. This monthly update always fails and any attempt to “try again” also fails. Searching for this issue shows a lot of others are also having this problem. I’ve tried some of the suggestions with no success (and, no, I’m not going to edit my Registry, uninstall IE11, delete folders etc etc – one helpful tech website suggested that I uninstall and reinstall Windows – yeah, right!). All available monthly updates will successfully install except for the Security Rollups. So I have essentially given up. Any updates that successfully install, then great. If the update fails, I’ll try again and if it fails again I just let it go and don’t worry about it.

Yes, I know that I will be criticized for leaving my computer vulnerable. But exactly what are we ordinary, non-techy, home users supposed to do?

BTW, both Security and Quality Rollups for December are shown as “Optional” even though they are checked by default.

Worth reiterating because it works and I learned about this from reading this blog: when a .NET Framework update is offered, deselect it, install the other monthly updates first, and only after they’ve been successfully installed, then install any .NET framework updates. Because I haven’t done a comparison, I can’t say for sure that this actually addresses a problem with updates, but it was suggested here, I’ve implemented it, and it works for me. Free advice: worth every penny.

From memory, Microsoft supports its update system for licensed supported products.

You should be able to contact Microsoft by phone [1] and ask for help w/ the update.

In general they ask for a refundable deposit (iirc it’s $50) against a credit card. If there isn’t an official solution for the problem, they’ll refund it (roughly this covers really lazy people, assuming you’ve done your homework, it’ll be refunded). They’ll walk you through troubleshooting and eventually fix the problem.

You might be able to initiate the process using their virtual agent [2], but I’ve never done that. Personally I’ve always started w/ a phone call to them. w/ Office365 (different product category), we initiate using the console which results in a call — which will result in them pointing back to that webpage [2] (and *only* that web page) to install a remote tool.

I got a bit of a surprise when I went to check for updates on my Windows 10 Pro system. I was given the September update in place of the December updates. Fortunately, it went in without any issues and a few other anti-malware / anti-virus updates followed. Then, nothing. I waited a few minutes to see if it was going to install the December updates and when nothing happened, I manually checked for updates and the December updates came down and installed without any problems.

I’m surprised it took so long for MS to give me the September update as I have a pretty vanilla system. I have an unlocked Intel i5 processor with zero changes from the factory setting, 16GB RAM, and a 512GB Samsung SSD. No separate graphics adapter or anything else like that. I figured that when they turned the September release loose again, I’d be one of the first to get it, but that was not the case. I’m just glad that I’m now current with no issues.

The “fix” that seems to sometimes work (9 times out of 10) is to install the individual update components separately…one at a time. And, in particular, it also seems to be safest to install the “Malicious Software Removal Tool” last.

“Anytime there’s a .NET Framework update available, I always uncheck those updates to install and then reboot and install the .NET updates; I’ve had too many .NET update failures muddy the process of figuring out which update borked a Windows machine after a batch of patches to do otherwise, but your mileage may vary.”

“…like service packs but at a much higher frequency than before.”- 0ut4t1m3

Why not just call them “Service Packs” as before? And, a much higher frequency than before tends to make people think of much higher mistakes than before. “Faster” doesn’t equate to better. Is that good? No. You don’t even mention the “lock-in” factor and the need to depend upon Microsoft’s own server-side tasks left out of the code on the boxes. That is a form of complete dependency on Microsoft for the foreseeable future.

I have not even touched upon the constant encrypted data flow leaving your Microsoft box which could just be “meta-data” or possibly exfiltration of documents or spying on what the customer is doing. I don’t like the “Nadella method” of forced lock-ins, and of shaking down his customers for cash with constant forced mass updates which tend to have their own flaws. I bet that in the future your OS or Office 365 will suddenly become a paid type of service with updates. If you don’t pay your documents will have faults or disappear altogether.

Re: Windows 7 in 9 year old HP business machine, partitioned with Ubuntu

Followed the usual procedure of waiting 2 or 3 days following release to allow for large snafus to manifest. Installed Security Only December updates with no apparent problems. The next morning Firefox froze the machine, and it was necessary to reset the Windows Media Player. I suspect Google News as a contributor to the Firefox freeze, now that their old format has been eliminated. The current model slows the machine down when opened, increasing CPU usage by about 3-5 %. Even with that, browser and machine freeze were absent before the update. My takeaway: close GNews when finished.

The WMP update issue seems to happen after updates 2 or 3 times a year. No permanent problems ensue.